HIT/Privacy Timeline from Stimulus Bill

From Dr. John Halamka, CIO of CareGroup Health System in Boston, MA (original post here: The Timeline for ARRA Privacy Provisions), a bookmarked PDF version of the American Recovery & Reinvestment Act that highlights sections relevant to HIT & privacy: http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf

The rough timeline is below:

Upon enactment (February 16, 2009)

  • Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410)
  • Enforcement by State Attorneys General for offenses occurring post enactment (Section 13410e)

Within 45 days of enactment (April 3, 2009)

  • Appointment of HIT Policy Committee members (Section 3002b)

Within 60 days of enactment (April 18, 2009)

  • HHS Secretary will issue guidance on methodologies and technologies that render information unreadable (Section 13402)

Within 180 days of enactment (August 16, 2009)

  • HHS and the Federal Trade Commission will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA or Business Associate agreements (Section 13402, 13407)

By December 31, 2009

  • HHS must adopt through rulemaking the initial prioritized set of standards which should include the accounting for disclosures (Section 3002b)

Due within one year post enactment (February 17, 2010)

  • The Secretary will appoint a Chief Privacy Officer (Section 3001)
  • The Office of Civil Rights and HHS will launch an education initiative to improve public transparency on the use of health information (Section 13403)
  • The Government Accountability Office will report on best practices for disclosures for treatment and use of electronic informed consent (Section 13424)
  • HHS will report on and provide guidance on de-identification (Section 13424c)
  • Covered entities must enter into Business Associate Agreements with PHRs, HIEs, and other services that handle protected health information (Section 13405e)
  • HHS will issue rules on opting out of fundraising solicitations (Section 13406)
  • HHS will report on guidance on the effective technical safeguards for carrying out the HIPAA security rule (Section 13401c)
  • HHS and the Federal Trade Commission will report on privacy and security requirements for PHR vendors and applications

One year post enactment (February 17, 2010)

  • HHS and the Office of Civil Rights clarify application of criminal penalties for non-covered entities (Section 13409)
  • HHS to issue rules on which entities are required to be business associates (Section 13401)
  • Right to restrict disclosures to health plans for services paid for out of pocket (Section 13405a)
  • HHS Secretary required to conduct periodic audits of entities covered by HIPAA (Section 13411)
  • Right of electronic access of records by patients takes effect (Section 13405e)

Within 18 months of enactment (August 17, 2010)

  • HHS guidance on minimum necessary data (Section 13405c)
  • Regulations regarding sale of data prohibition which take effect 6 months post promulgation (Section 13405a)

By 2011

  • Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

24 months post enactment (February 17, 2011)

  • Clarification of ability to pursue civil penalties when criminal penalties are not pursued (Section 13405)

By 2012

  • Regulations for methodology for distributing penalties or settlement money to harmed individuals (Section 13410)

By 2013

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

By 2014

  • GAO will report on the impact of ARRA (Section 13424)
  • Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

By 2016

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

What is an EHR?

There is still a lot of discussion about what an electronic health record (EHR) actually is. Earlier this decade, a survey taken at a convention of EHR vendors and hospitals estimated EHR adoption at 60%. This information was used by the Bush administration in 2004 to justify formation of the Office of the National Coordinator for Health IT (ONC) and to set the goal of 90% of Americans having electronic health records by 2014. One decade seemed reasonable given the 60% adoption rate. We now know that the adoption rate among hospitals is closer to 10%, with 10-25% currently in planning or implementation stages.

Part of the problem is in the definition. The survey simply asked if care providers had electronic records. But that could mean patient information, a billing and claims system, electronic order entry, or any number of things. The Institute of Medicine released a report in 2003, Key Capabilities of an Electronic Health Record System, that attempted to solve this, and identified the following core functionalities of EHR:

  1. Health information and data
  2. Results management
  3. Order entry/order management
  4. Decision support
  5. Electronic communication and connectivity
  6. Patient support
  7. Administrative processes
  8. Reporting and population health management

The 4 in bold might be considered the bare minimum. Administrative processes are certainly important to the operations of a hospital, but these are historically separate systems focused on billing and insurance claims. Oddly enough, evidence has shown that providers that initially adopt electronic billing systems are no more likely to adopt EHR than those without it. Treating electronic billing as a first step, then, doesn’t work.